Firewall (iptables) Rules

I've installed one Linux PC and one Windows 98 PC at home. The Linux box serves as a gateway to the Internet connection. Currently, I'm trying to mess around with the IP filtering (iptables) stuff on the Linux box. My question is:
Do the IP filtering rules have any effect on the speed of the Internet connection (particularly web surfing)? It seems that the web pages load faster without any IP filtering rules than with IP filtering rules; is this true? Can anyone provide some sample rules for web surfing (for the INPUT, OUTPUT, and FORWARD tables)?
Thank you.
Asked by viansoo

TheAmigo commented:
Running Linux on a P-166 using ISA 10Mbps NICs as my router, I'm not seeing any slowdowns.  Average of 12ms ping times via cable modem.

What rules do you have now?  You can list each of the three tables like this:
iptables -L -v -t nat
iptables -L -v -t filter
iptables -L -v -t mangle

Did you write the rules by hand or use something like FirewallBuilder to generate the rules?
viansoo (Author) commented:
TheAmigo: I write the rules manually by hand. Do you have any sample rules, e.g. to allow web (port 80) access for the INPUT, OUTPUT, and FORWARD chains?
TheAmigo commented:
If you just want to allow outbound traffic (so you can browse the web from any machine at home), then you can add these three rules:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -j ACCEPT

Of course, that assumes that eth1 is external, eth0 is internal, your internal subnet is 192.168.0.0 and you aren't browsing from the Linux box itself.  It also doesn't allow inbound traffic, so you'd need extra rules if you're acting as a web server.
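A fuller version of that gateway ruleset, added here as an example and not TheAmigo's own code: it adds the default-DROP policies and INPUT rules his three lines leave out, and keeps the conntrack rule first so that packets of an already-open flow match on the first rule, which is why a well-ordered ruleset has no noticeable effect on browsing speed. It assumes the same layout as his post (eth0 internal, eth1 external, LAN 192.168.0.0/24) and only prints the commands, so they can be reviewed before being piped into sh as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints a stateful NAT-gateway
# ruleset for the given interfaces and LAN subnet; nothing is applied.
# Usage: gen_gateway_rules <internal-if> <external-if> <lan-cidr>

gen_gateway_rules() {
    int_if=$1; ext_if=$2; lan=$3
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
# Default-deny for traffic to the box and through the box; OUTPUT stays open.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Conntrack rules first: every packet of an established flow matches here,
# so the length of the rest of the table barely matters for throughput.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback and LAN hosts may talk to the gateway itself; new connections
# arriving on $ext_if fall through to the DROP policy (no inbound services).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $int_if -s $lan -j ACCEPT
# Drop packets on the external side that claim a LAN source address.
iptables -A FORWARD -i $ext_if -s $lan -j DROP
# Let LAN hosts out through the gateway and masquerade them on the way.
iptables -A FORWARD -i $int_if -o $ext_if -s $lan -j ACCEPT
iptables -t nat -A POSTROUTING -s $lan -o $ext_if -j MASQUERADE
EOF
}

# Assumed layout from the thread: eth0 internal, eth1 external.
gen_gateway_rules eth0 eth1 192.168.0.0/24
```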
bryanbel commented:
#!/bin/sh
###########################################################
#
# This script flushes the existing rules and allows all
# outbound connections to the Internet from the LAN.
# It also blocks a few ports from intruders.
#
# As the rules below imply, eth0 is the external interface
# and eth1 is the internal (LAN) interface.
#
###########################################################

# Enable routing between interfaces, SYN cookies against SYN floods,
# and reverse-path (anti-spoofing) filtering on the external interface.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

# Start from a clean slate in the filter and nat tables.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

# Set up IP FORWARDing and Masquerading
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

# Allow loopback access. This rule must come before the rules denying port access!!
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# Block all ports (Method 2): accept a few services, drop every other
# new TCP connection to this box
#******************************************************
#iptables -A INPUT -p tcp --syn --destination-port 21 -j ACCEPT
#iptables -A INPUT -p tcp --syn --destination-port 21 -i eth1 -j ACCEPT
#iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
#iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
#iptables -A INPUT -p tcp --syn -j DROP

# Block ports (Method 1): drop a handful of specific ports, leave the rest open
#*****************************************************
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1024 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 36794 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP

# NOTE: you can use either method 1 or method 2, but not both
#
#
#  HOPE THIS HELPS